The Circle of Trust

I have a new use for TrustFabric… to control who can view photos of Mia.

I enjoy taking photos. I take a few thousand a year. I’m guessing about 60% involve my daughter Mia.

I’m pretty sure I don’t want to put photos of her on Facebook… all kinds of paranoia and privacy issues. I don’t like Flickr or any kind of cloud hosting… again, paranoia and the need for easy backups.

So, I used to simply host my photos on my own server, with no access control, but I would only send the link to close friends. It was easy for friends, no need to remember a username/password, but you could probably guess the link if you wanted to.

So, I have a new scheme: Client side x509 certs.

Sure, friends probably need to spend 10min to get it working, but I’m all for investing a bit of time initially to make life easier over time.

How it works:

1) Friends register at
2) They request a Network Access cert, which contains their TFUUID and install the cert in their browser.
3) I configure my Apache to require a valid TrustFabric cert to view a URL and setup a list of TFUUIDs I allow.

No username/password to remember. Strong crypto (4096bit). Easy to managed on my side. Sure, you could do this with usernames and passwords, but I think this is much cooler.

What’s interesting here is that you could easily use this to setup a closed distributed social network. Control access to your blog or photos or an application. Kinda like the single-sign-on enterprise vibe, but based on relationships. What’s probably more interesting is the “distributed” part. You don’t need to have people coming back to a website to show them ads to be part of this social network.. it does not consume attention. I like to think of it as social networking for grown ups.

How cool would this be: I configure my wifi hotspot at home to allow my friends (and all their friends). They show up and it just works. Maybe I’ll do this next week.

Apache config snippet:

<directory "/var/www/swimgeek/foooo">
Order allow,deny
Allow from all
SSLVerifyDepth 1
SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars +StrictRequire +FakeBasicAuth
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ and %{SSL_CLIENT_I_DN_CN} eq "Fooo CA" )
AuthType Basic
AuthName "Mia Photos"
AuthUserFile /blah/password/foooo
Require valid-user

You have to manage a password file using this, but it’s pretty easy to use some of the other auth modules like db or ldap or radius.

Update: 23 Jan

I managed to install a TrustFabric cert on my iPod touch (iOS 4.2.1) and use it to to browse the protected photos. Fairly easy to get going.. I was bored at gym.